A logging RACI matrix assigns who is Responsible, Accountable, Consulted, and Informed for producing, protecting, retaining, reviewing, and responding to logs. Clear logging raci matrix roles prevent the common audit failure where everyone assumes another team owns log review, retention decisions, access to the SIEM, or incident evidence. For ISO 27001 control 8.15, the matrix should show one accountable owner for each logging activity while recognizing that IT, security, HR, Legal, and leadership each have distinct decisions to make.
Why does a RACI matrix prevent logging control gaps?
ISO 27001:2022 control 8.15 requires that “logs that record activities, exceptions, faults and other relevant events shall be produced, stored, protected and analysed.” That statement contains several separate obligations. A small organization may have one IT administrator performing most technical work, but that does not mean one person should silently own every decision behind those obligations.
For example, you may be responsible for enabling Microsoft 365 audit logging, forwarding firewall events to a SIEM, and investigating failed administrator logins. Legal may need to be consulted before deleting records subject to a litigation hold. HR may need to be consulted when employee monitoring or disciplinary evidence is involved. Leadership must approve the risk when budget or staffing means a critical system cannot yet send logs to the central platform.
A RACI makes those boundaries visible. It also gives an external auditor evidence that logging is governed rather than dependent on institutional memory. Instead of answering, “I usually check those alerts when I have time,” you can show the approved activity, owner, frequency, escalation route, and records created.
- Responsible (R): performs the work, such as configuring log forwarding or completing a weekly review.
- Accountable (A): owns the outcome and approves decisions; each activity should have one accountable role.
- Consulted (C): provides input before a decision or action, usually through two-way communication.
- Informed (I): receives updates or evidence after the fact; this is one-way communication.
For a sole IT administrator, the most important distinction is between being responsible and being accountable. You may be both for technical operations, but the executive owner should be accountable for accepting material logging risk, funding improvements, and approving the policy. That separation is practical evidence of management oversight, not unnecessary bureaucracy.
What logging raci matrix roles should IT, HR, Legal, security, and leadership have?
Use the following matrix as a starting point. Adapt job titles to your organization, but preserve the decision ownership. In a small business, “Security” may be a designated security coordinator role held by the IT administrator, while “Leadership” may be the CEO, COO, or risk owner.
| Logging activity | IT | Security | HR | Legal | Leadership | Evidence for audit |
|---|---|---|---|---|---|---|
| Maintain the logging standard, source inventory, and minimum event requirements | R | A | C | C | I | Approved logging standard; source inventory |
| Enable and validate logs from endpoints, identity systems, servers, network devices, and SaaS applications | R | A | I | I | I | Configuration exports; onboarding tickets; test results |
| Operate the SIEM or central log platform, including role-based access and backup configuration | R | A | I | I | I | Access review; platform settings; backup records |
| Perform routine alert triage and document investigation outcomes | R | A | I | I | I | Alert queue; investigation tickets; analyst notes |
| Define retention periods and approve deletion or archival rules | R | C | C | A | I | Retention schedule; approved lifecycle settings |
| Apply a legal hold or preserve logs for an investigation, dispute, or regulatory request | R | C | C | A | I | Legal-hold notice; preservation ticket; export hash |
| Investigate suspected employee misuse or policy violations | R | A | C | C | I | Restricted case record; chain-of-custody notes |
| Approve exceptions where a system cannot meet logging requirements | R | C | I | C | A | Risk acceptance; remediation date; compensating control |
| Review logging coverage, significant incidents, and overdue remediation | R | A | I | I | I | Monthly review minutes; dashboard; action register |
| Fund material tooling, retention, and staffing decisions | C | R | I | I | A | Budget approval; management review record |
The matrix does not mean HR or Legal must inspect routine authentication events. Their involvement begins when logs become employee evidence, contain sensitive personal data, support a formal investigation, or must be retained beyond normal operational needs. Keeping that boundary explicit helps avoid unnecessarily broad access to sensitive records.
Consider Northstar Pay, a fictional 42-person payments company. Its sole IT administrator manages Microsoft 365, Intune, AWS, Cloudflare, Okta, and a managed detection and response provider. The administrator is responsible for forwarding Okta sign-in events, AWS CloudTrail, Cloudflare administrative changes, and endpoint alerts to Microsoft Sentinel. The security coordinator role is accountable for confirming that those sources remain connected and that critical alerts are investigated. The COO is accountable for accepting the risk if an older payment-reconciliation application cannot export usable audit events until it is replaced.
How should logging ownership work in difficult organizational models?
What changes in a small organization?
One person can legitimately hold IT and security responsibilities, but do not write a matrix that lists that person as accountable for every outcome. Assign the owner-manager, CEO, or COO as accountable for policy approval, risk acceptance, and management review. Have Legal support through outside counsel if no internal legal function exists. HR may be an office manager or outsourced HR provider, consulted only for employee-related investigations and monitoring practices.
Document the role, not only the person. “IT Administrator” survives turnover better than “Jamie Smith.” If one person wears multiple hats, add a note to the matrix explaining the compensating oversight: quarterly leadership review of alert metrics, open exceptions, and completion of access reviews.
What changes when an MSP or MDR provider handles security monitoring?
Outsourcing alert monitoring does not outsource accountability. Your internal security owner remains accountable for the logging control, while the MSP or MDR provider may be responsible for specified monitoring, triage, and escalation tasks. The contract or statement of work should identify log sources, retention in the provider platform, alert severity definitions, notification deadlines, evidence access, and offboarding procedures.
Do not mark an MSP simply as “Security” without documenting the boundary. If the provider receives alerts but your IT administrator must disable accounts or isolate endpoints, the provider is responsible for escalation and initial analysis; internal IT is responsible for containment; the internal security owner is accountable for the end-to-end incident workflow.
What changes in a federated organization?
In a federated model, central security may set the standard and operate the central SIEM while business units own applications and local administrators. Assign central security accountability for the enterprise logging standard and monitoring platform. Assign each application or system owner responsibility for enabling correct event generation, resolving ingestion failures, and validating that application-specific events are meaningful.
Prevent “shared accountability” by creating separate rows for central platform operation and local source onboarding. A central team cannot be accountable for application events it cannot configure, and a business unit should not be accountable for a SIEM retention setting it cannot change.
How can you operationalize the logging RACI in a ticketing tool?
Your RACI becomes audit-ready when each recurring responsibility produces a ticket, report, approval, or review record. For a sole administrator, use a small number of repeatable Jira Service Management tickets rather than trying to manually document every event.
At Northstar Pay, the IT administrator uses Jira Service Management with a “Logging Control” request type and the following fields:
Request type: Logging Control
System: Okta / AWS / Microsoft 365 / Cloudflare / Intune
Activity: Source onboarding / Weekly review / Retention change / Exception
Control reference: ISO 27001:2022 A.8.15
Responsible owner: IT Administrator
Accountable owner: Security Coordinator
Consulted roles: Legal / HR / Application Owner
Evidence link: Sentinel workbook, configuration export, or incident case
Review due date: 2026-08-07
Risk decision required: Yes / No
Create recurring weekly tickets for alert-review completion, monthly tickets for source-health checks, and quarterly tickets for privileged access review to the SIEM. Use automation to assign the accountable security owner when a ticket is marked complete, ensuring that “reviewed” is not merely self-attested by the person who performed the work.
For retention changes, route the ticket to Legal before implementation. The ticket should state the affected source, current and proposed retention, reason for the change, whether a hold applies, and the technical verification after the change. For example, changing Sentinel Log Analytics retention from 90 to 180 days is both a cost decision and a legal-records decision; it should not be completed as an undocumented infrastructure adjustment.
How often should a logging RACI matrix be reviewed?
Review the matrix at least annually, during the ISO 27001 management review cycle, and whenever a meaningful change occurs. Trigger an out-of-cycle review when you introduce a new SIEM or MDR provider, migrate identity platforms, acquire a company, change legal retention requirements, experience a significant incident, or lose the employee holding an accountable role.
- Weekly: confirm alert review and escalation tickets are completed.
- Monthly: review log-source health, critical ingestion failures, privileged SIEM access, and overdue remediation.
- Quarterly: review metrics with leadership, including coverage gaps, high-severity alerts, exceptions, and retention costs.
- Annually: approve the RACI, logging standard, retention schedule, and audit evidence set.
Keep the approved matrix with your ISO 27001 control documentation, then create your first recurring “Logging Control” ticket this week for the log source most likely to be questioned in your external audit.